US12095755B1ActiveUtilityA1

Techniques for simultaneously accessing multiple isolated systems while maintaining security boundaries

70
Assignee: ORACLE INT CORPPriority: Oct 13, 2020Filed: Oct 6, 2023Granted: Sep 17, 2024
Est. expiryOct 13, 2040(~14.3 yrs left)· nominal 20-yr term from priority
H04L 63/20H04L 65/1069H04L 63/126H04L 63/0442H04L 63/08H04L 65/4015
70
PatentIndex Score
0
Cited by
12
References
18
Claims

Abstract

Techniques are described for using a single application to interact with multiple separate realms simultaneously while maintaining data security boundaries. For example, a web browser may be used to access and interact with the multiple separate secure realms while maintaining data security boundaries between the systems. Multiple concurrent sessions may be established for a user between the web browser and multiple realms. Separate sets of security credentials (e.g., credentials used for authentication and authorization purposes) may be used to establish the sessions and for operations performed in the realms via the sessions. The application can also execute logic (e.g., via machine-executable code or instructions) for automating operations performed in the realms, such as, automating the initiation of a certain operation in one realm based upon a response received from another realm, causing operations to be initiated in two different realms such that the operations overlap in the time; and the like.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method, comprising:
 establishing a first session between an application and a first realm, where establishing the first session includes:
 receiving, by a first access management server, from the application, a first set of one or more user credentials; 
 authenticating, by the first access management server, the application based on the first set of one or more user credentials; 
 in response to authenticating, generating, by the first access management server, a first security token for the first session for the application; and 
 sending, by the first access management server, to the application, the first security token, where the application stores the first security token and a first set of one or more keys for the first session in a first isolated data store, the application sends a first request to the first realm via the first session using one or more of the first set of one or more keys and without re-authentication, the first request requesting a first task to be performed in the first realm, where the first realm performs the first task and sends to the application via the first session a particular status code generated based on performing the first task, and wherein the first task is for a first tenancy in the first realm; and 
 
 while the first session is active between the first realm and the application, establishing a second session between the application and a second realm, where establishing the second session includes:
 receiving, by the first access management server or a second access management server, from the application, a second set of one or more user credentials; 
 authenticating, by the second access management server or the second access management server, the application based on the second set of one or more user credentials; 
 in response to authenticating, generating, by the first access management server or the second access management server, a second security token for the second session for the application; and 
 sending, by the first access management server or the second access management server, to the application, the second security token, where the application stores the second security token and a second set of one or more keys for the second session in a second isolated data store that is separate from the first isolated data store, isolates the first session with the first realm from the second session with the second realm so that information is not shared between the first realm and the second realm, and sends a second request to the second realm via the second session using one or more of the second set of one or more keys and without re-authentication in response to receiving the particular status code from the first realm, the second request requesting a second task to be performed in the second realm, where the second realm performs the second task, and wherein the second task is for a second tenancy in the second realm. 
 
 
     
     
       2. The method of  claim 1 , wherein the first tenancy is for a first customer, and the second tenancy is for a second customer, the first tenancy includes a first compute, a first memory, and first networking resources provided in the first realm by a cloud services provider, and the second tenancy includes a second compute, a second memory, and second networking resources provided in the second realm by the cloud services provider. 
     
     
       3. The method of  claim 1 , further comprising:
 receiving, by the first access management server, from the application, a first public key, where the application generated a first asymmetric key pair including a first private key and the first public key, the first set of one or more keys for the first session includes the first private key, and the first security token includes the first public key; and 
 receiving, by the first access management server or the second access management server, from the application, a second public key, where the application generated a second asymmetric key pair including a second private key and the second public key, the second set of one or more keys for the second session includes the second private key, and the second security token includes the second public key. 
 
     
     
       4. The method of  claim 3 , wherein the first set of one or more user credentials and the second set of one or more user credentials are received in an encrypted form, and further comprising:
 decrypting, by the first access management server, the first set of one or more user credentials; 
 receiving, by the first access management server, from the application, a first digital signature generated using the first private key; 
 validating, by the first access management server, the first digital signature using the first public key; 
 decrypting, by the first access management server or the second access management server, the second set of one or more user credentials; 
 receiving, by the first access management server or the second access management server, from the application, a second digital signature generated using the second private key; and 
 validating, by the first access management server or the second access management server, the second digital signature using the second public key. 
 
     
     
       5. The method of  claim 3 , wherein the first request includes the first security token and a first digital signature generated using the first private key, the first realm validates the first digital signature using the first public key included in the first security token, the second request includes the second security token and a second digital signature generated using the second private key, and the second realm validates the second digital signature using the second public key included in the second security token. 
     
     
       6. The method of  claim 1 , wherein the particular status code indicates that the first task has completed successfully. 
     
     
       7. A method, comprising:
 establishing a first session between an application and a first realm, where establishing the first session includes: 
 receiving, by a first access management server, from the application, a first set of one or more user credentials; 
 authenticating, by the first access management server, the application based on the first set of one or more user credentials; 
 in response to authenticating, generating, by the first access management server, a first security token for the first session for the application; and 
 sending, by the first access management server, to the application, the first security token, where the application stores the first security token and a first set of one or more keys for the first session in a first isolated data store, the application sends a first request to the first realm via the first session using one or more of the first set of one or more keys and without re-authentication, the first request requesting a first task to be performed in the first realm, where the first realm performs the first task, and wherein the first task includes installing a set of one or more updates at the first realm; and 
 while the first session is active between the first realm and the application, establishing a second session between the application and a second realm, where establishing the second session includes: 
 receiving, by the first access management server or a second access management server, from the application, a second set of one or more user credentials; 
 authenticating, by the second access management server or the second access management server, the application based on the second set of one or more user credentials; 
 in response to authenticating, generating, by the first access management server or the second access management server, a second security token for the second session for the application; and 
 sending, by the first access management server or the second access management server, to the application, the second security token, where the application stores the second security token and a second set of one or more keys for the second session in a second isolated data store that is separate from the first isolated data store, isolates the first session with the first realm from the second session with the second realm so that information is not shared between the first realm and the second realm, and sends a second request to the second realm via the second session using one or more of the second set of one or more keys and without re-authentication after sending the first request and before the first task is completed, the second request requesting a second task to be performed in the second realm, where the second realm performs the second task, and wherein the second task includes installing the set of one or more updates at the second realm. 
 
     
     
       8. The method of  claim 7 , further comprising:
 determining, by the first access management server, a first set of access privileges based on the first set of one or more user credentials; 
 generating, by the first access management server, a first digital signature for the first security token using a first private key associated with the first access management server, where the first security token includes information about the first set of access privileges; 
 determining, by the first access management server or the second access management server, a second set of access privileges based on the second set of one or more user credentials; and 
 generating, by the first access management server or the second access management server, a second digital signature for the second security token using the first private key associated with the first access management server or a second private key associated with the second access management server, where the second security token includes information about the second set of access privileges. 
 
     
     
       9. The method of  claim 7 , further comprising:
 sending, by the first access management server, to the application, session information including a first session key and a first identity token. 
 
     
     
       10. The method of  claim 7 , wherein the application comprises a web browser, the first realm includes a first set of data centers, and the second realm includes a second set of data centers. 
     
     
       11. The method of  claim 7 , wherein the first task further includes at least one of provisioning a resource, utilizing a resource, updating configurations, and modifying a first tenancy, and wherein the second task further includes at least one of provisioning a resource, utilizing a resource, updating configurations, and modifying a second tenancy. 
     
     
       12. The method of  claim 7 , wherein the first isolated data store is a first local IndexedDB, and wherein the second isolated data store is a second local IndexedDB. 
     
     
       13. A system comprising:
 a first non-transitory computer-readable storage medium, storing first computer-executable instructions that, when executed, cause one or more first processors of a first computer system to perform a first method comprising:
 establishing a first session between an application and a first realm, where establishing the first session includes:
 receiving, from the application, a first set of one or more user credentials; 
 authenticating the application based on the first set of one or more user credentials; 
 in response to authenticating, generating a first security token for the first session for the application; and 
 sending, to the application, the first security token, where the application stores the first security token and a first set of one or more keys for the first session in a first isolated data store, the application sends a first request to the first realm via the first session using one or more of the first set of one or more keys and without re-authentication, the first request requesting a first task to be performed in the first realm, where the first realm performs the first task and sends to the application via the first session a particular status code generated based on performing the first task, and wherein the first task is for a first tenancy in the first realm; 
 
 
 a second non-transitory computer-readable storage medium, storing second computer-executable instructions that, when executed, cause one or more second processors of a second computer system to perform a second method comprising:
 while the first session is active between the first realm and the application, establishing a second session between the application and a second realm, where establishing the second session includes:
 receiving, from the application, a second set of one or more user credentials; 
 authenticating the application based on the second set of one or more user credentials; 
 in response to authenticating, generating a second security token for the second session for the application; and 
 sending, to the application, the second security token, where the application stores the second security token and a second set of one or more keys for the second session in a second isolated data store that is separate from the first isolated data store, isolates the first session with the first realm from the second session with the second realm so that information is not shared between the first realm and the second realm, and sends a second request to the second realm via the second session using one or more of the second set of one or more keys and without re-authentication in response to receiving the particular status code from the first realm, the second request requesting a second task to be performed in the second realm, where the second realm performs the second task, and wherein the second task is for a second tenancy in the second realm. 
 
 
 
     
     
       14. The system of  claim 13 , wherein the second request is received at the second realm after the first request is received at the first realm and before the first task is completed at the first realm. 
     
     
       15. The system of  claim 14 , wherein the particular status code indicates that the first task was initiated successfully and is currently in progress. 
     
     
       16. The system of  claim 13 , wherein the first tenancy is for a first customer, the first tenancy includes a first compute, a first memory, and first networking resources provided in the first realm by a cloud services provider, the second tenancy is for second customer, and the second tenancy includes a second compute, a second memory, and second networking resources provided in the second realm by the cloud services provider. 
     
     
       17. The system of  claim 13 , wherein the first task comprises installing a set of one or more updates at the first realm, and wherein the second task comprises installing the set of one or more updates at the second realm. 
     
     
       18. The system of  claim 13 , wherein the application comprises a web browser, wherein the web browser stores the first set of one or more keys such that the first set of one or more keys is not extractable, and wherein the web browser stores the second set of one or more keys such that the second set of one or more keys is not extractable.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.